DETAILED ACTION

CLAIMS PRESENTED 

Claims 1-15 are presented. 

CLAIM REJECTIONS 

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all
obviousness rejections set forth in this Office action:

(a) A patent may not be obtained though the invention is not identically disclosed 
or described as set forth in section 102 of this title, if the differences between the 
subject matter sought to be patented and the prior art are such that the subject 
matter as a whole would have been obvious at the time the invention was made 
to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was 
made. 

Claims 1-15 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
Riggins et al. (cited by Applicant, International Publication Number WO 00/11832,
hereinafter also referred to as "Riggins").

Regarding claim 1, Riggins teaches "A security system for controlling access to 
one or more application functions located on a server or accessible via server, each 
application function having an associated security level, wherein one or more clients 
communicate with said server by means of requests for accessing one of said 
application functions using a network, wherein access to said application functions is 
controlled by security requirements (page 3, line 4 to page 4 line 2, global server
handling requests for accessing applications), comprising:



Application/Control Number: 09/810,354 Page 3 

Art Unit: 2134 

an authentication component functionally separated from said clients and said 
application functions for processing said client request independently of said client type, 
containing more than one authentication mechanisms and selecting and executing an 
authentication mechanism from said more than one authentication mechanisms based 
on the information contained in the client request resulting in a security state (page 6, 
lines 20-29, the global server functionally separated from clients, and the global server 
providing authentication through firewall); 

a security component containing a ... describing security requirements (security 
level) for accessing application functions, comparing said security state associated with 
said client with the security level of the application function and allowing access to the 
application function if the security state fulfills the security level (page 6, lines 20-29, 
global server providing security through firewall; page 3, line 19 to page 4, line 2,
multiple levels of authentication and multiple levels of resource access).

These passages of Riggins are not clear about a "security policy." A policy (in 
computer science) usually refers to a logical way of solving a problem. Riggins does 
discuss security levels being "enabled" - page 3, line 19 to page 4, line 2, multiple
levels of authentication and multiple levels of resource access. "Enabling" usually refers
to a mechanism of physical (rather than logical) implementation.

Nevertheless, it was well known in the art to have a "security policy" (rather than 
predetermining a physical implementation) for the motivation of having flexibility in 
security. 

It would have been obvious at the time of the claimed invention to combine
"security policy" with the teachings of Riggins so as to teach the claimed invention for 
the motivation noted in the previous paragraphs. 

Regarding claim 2 (wherein said clients are PVC-devices), Riggins suggests 
such (page 6, lines 16-19, wireless channel 146 permitting mobile access thereby 
suggesting PVC devices). 

Regarding claim 3 (said authentication component and said security component 
are integrated in one component stored on a server), Riggins suggests such (global
server being used for authentication and for security, as noted in the rejection of claim
1).

Regarding claim 4 (said authentication component consists of security plug-ins 
whereby each authentication mechanism is laid down in a separate security plug-in), 
Riggins suggests such (page 3, line 19 to page 4, line 2, multiple levels of resource
access suggesting separate plug-ins). 

Regarding claim 5 (whereby the authentication mechanism may be 
UserID/Password, Challenge/Response or digital signature), Riggins suggests such
(page 3, line 19 to page 4, line 2, based on user status, suggesting such mechanism). 

Regarding claim 6 (a component (ADL) for converting PVC-device specific 
requests into canonical requests before said request is used by said authentication 
component), Riggins suggests such (page 3, line 19 to page 4, line 2, global server 
using stored keys, suggesting canonical requests rather than device specific requests). 

Regarding claim 7, Riggins teaches "A method for controlling access to one or
more application functions stored on a server or accessible via server, each application 
function having an associated security level, wherein one or more clients communicate 
with said server by means of requests for accessing one of said application functions 
using a network, whereby access to said application functions is controlled by a security 
requirements (page 3, line 4 to page 4 line 2, global server handling requests for
accessing applications), comprising the steps of: 

... all incoming requests created by said clients to an authentication component 
which is functionally independent from said clients and said application functions (page
6, lines 20-29, the global server functionally separated from clients, and the global
server providing authentication through firewall), said authentication component 
comprising the steps of 

authentication of said client by determining an authentication mechanism 
provided by said authentication component by means of authentication information 
contained in said request and applying said authentication mechanism; storing a result 
of said authentication and said authentication information or parts of it contained in said 
request as a security state; using security requirements for said one of said application 
functions to be accessed; comparing said stored security state with said security 
requirements for accessing the requested application function; and invoking said 
requested application function if said security state fulfills said security requirements 
(page 6, lines 20-29, the global server functionally separated from clients, and the 
global server providing authentication through firewall). 

These passages of Riggins are not clear about a "routing." A routing (in
computer science) usually refers to choosing among multiple paths between source and 
destination. Riggins does discuss global access - global server. 

Nevertheless, it was well known in the art to have a "routing" for the motivation of 
providing a choice among paths (choices usually made on basis of traffic load or 
security). 

It would have been obvious at the time of the claimed invention to combine 
"routing" with the teachings of Riggins so as to teach the claimed invention for the 
motivation noted in the previous paragraphs. 

Regarding claim 8 (wherein said incoming requests are canonical requests), 
Riggins suggests such (page 3, line 19 to page 4, line 2, global server using stored 
keys, suggesting canonical requests rather than device specific requests). 

Regarding claim 9 (said canonical requests are created by a Device Adaptation 
Layer which converts client specific requests into canonical requests), Riggins suggests 
such (page 3, line 19 to page 4, line 2, global server using stored keys, suggesting 
canonical requests rather than device specific requests). 

Regarding claim 10 (comprising the further steps of: 

creating a session identifier when establishing a communication between a client 
and a server and using said session identifier in all requests and responses between 
said client and said server), Riggins suggests such (page 3, line 19 to page 4, line 2, 
global server using stored keys when establishing communication channels, suggesting 
such session identifiers). 

Regarding claim 11 (whereby said session identifier and said security state are
placed in a cookie, whereby said cookie is inserted into each request and response 
between said client and said server), Riggins suggests such (page 3, line 19 to page 4, 
line 2, global server using stored keys when establishing communication channels, 
suggesting such session identifiers being placed in a storage such as a cookie - which 
is logical because Riggins uses the web).

Regarding claim 12, (wherein said clients are PVC-devices), Riggins suggests 
such (page 6, lines 16-19, wireless channel 146 permitting mobile access thereby 
suggesting PVC devices). 

Regarding claim 13 (A computer program comprising computer program code 
portions for performing respective steps of the method according to claim 7 to 12 when 
the program is executed in a computer), such programs are well known in the art for the 
motivation of implementing such methods on a computer. 

Regarding claim 14 (A computer program product stored on a computer-readable 
media containing software code for performing of the method according to one of the 
claim 7 to 12 if the program product is executed on the computer), such products are 
well known in the art for the motivation of implementing such methods on a computer. 

Regarding claim 15, Riggins teaches: A client-server system, wherein one or 
more clients, having client types, communicate with a server by means of requests for 
accessing application functions located on or accessible via said server, wherein access 
to said application functions is controlled by a security system located on said server 
(page 3, line 4 to page 4 line 2, global server handling requests for accessing
applications), wherein said security system comprises: 

an authentication component, functionally separated from said one or more 
clients and said application functions for processing client requests independently of 
client type, containing one or more authentication mechanisms and selecting and 
executing an authentication mechanism from said authentication mechanisms based on 
the information contained in the client request, resulting in a security state (page 6, lines 
20-29, the global server functionally separated from clients, and the global server 
providing authentication through firewall); 

a security component containing a ... describing security requirements (security 
level) for accessing application functions, comparing said security state associated to a 
client with the security level of the application function and allowing access to the 
specified application function if the security state fulfills the security level (page 6, lines 
20-29, global server providing security through firewall; page 3, line 19 to page 4, line
2, multiple levels of authentication and multiple levels of resource access).

These passages of Riggins are not clear about a "security policy." A policy (in 
computer science) usually refers to a logical way of solving a problem. Riggins does 
discuss security levels being "enabled" - page 3, line 19 to page 4, line 2, multiple
levels of authentication and multiple levels of resource access. "Enabling" usually refers
to a mechanism of physical (rather than logical) implementation.

Nevertheless, it was well known in the art to have a "security policy" (rather than
predetermining a physical implementation) for the motivation of having flexibility in 
security. 

It would have been obvious at the time of the claimed invention to combine 
"security policy" with the teachings of Riggins so as to teach the claimed invention for 
the motivation noted in the previous paragraphs. 

Conclusion 

The art made of record and not relied upon is considered pertinent to applicant's 
disclosure. The art disclosed general background. 